Snort mailing list archives

Re: how to ignore scans from trusted hosts?


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 1 Jun 2001 11:20:05 -0500 (CDT)


Tony Lill <ajlill () ajlc waterloo on ca> wrote in response to me:

   Neil> Roeland Weve <roeland () office netland nl> wrote asking:

   >> I've seen it in a snort.conf version where the trusted host
   >> 'www.snort.org' was ignored from getting alerts from.  Now I'm
   >> getting alerts from some trusted hosts and want to ignore them
   >> by putting them in the snort.conf file.  I forgot how to do
   >> that, is it still possible and how can I do it?

   Neil> Yes, you need to write a "pass" rule, e.g.:

   Neil>   pass tcp 205.164.217.39 80 <> any any

> That won't stop it from complaining about portscans, since that is
> handled in a pre-processor (before the rules are matched). What you
> need to do is write a tcpdump-style filter to exclude the host, e.g.

That is true, but I assumed from the context of Roeland's original post
that the problem he was having derived from Snort rules and not the
preprocessor.  I may have been incorrect in that.

> not ( tcp and host trusted.host and port 80 )
>
> and either append it to the command line or put it in a file and use
> the -F option to snort.

I have successfully used this syntax near the head of my snort.conf file ...

  preprocessor portscan-ignorehosts: 111.222.333.444/24 555.666.777.888/8

... where the number of domains to be ignored was not large.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
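The thread names three different places a trusted host can be excluded: a Snort "pass" rule, a tcpdump-style BPF filter (command line or -F file), and the portscan-ignorehosts preprocessor line. The script below is an added example, not code from the thread or from the Snort project; it generates all three from one validated host list using the exact syntax quoted above, and the function names and the /24 sample network are assumptions.

```python
"""Generate Snort exclusions for a list of trusted hosts/networks.

Added example (not from the thread). Produces, in the syntax the thread
quotes: 'pass' rules, a BPF exclusion filter, and the
'preprocessor portscan-ignorehosts:' line. Entries are validated with the
standard-library ipaddress module, so a placeholder such as
111.222.333.444/24 is rejected instead of silently reaching snort.conf.
"""
import ipaddress
from typing import Iterable, List


def parse_trusted(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse 'a.b.c.d' or 'a.b.c.d/len'; raises ValueError on bad octets.

    strict=False lets '192.168.0.5/24' normalise to 192.168.0.0/24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _addr(net: ipaddress._BaseNetwork) -> str:
    # Single host -> bare address, otherwise CIDR notation (both accepted by snort).
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def pass_rules(nets, port: int = 80) -> List[str]:
    """One 'pass' rule per host: suppresses rule alerts only, not preprocessor
    output such as portscan notices."""
    return [f"pass tcp {_addr(n)} {port} <> any any" for n in nets]


def bpf_filter(nets, port: int = 80) -> str:
    """tcpdump-style filter: traffic it excludes never reaches the preprocessors
    or the rules. Pass on the command line or via a file with -F."""
    terms = []
    for n in nets:
        key = f"host {n.network_address}" if n.num_addresses == 1 else f"net {n}"
        terms.append(f"( tcp and {key} and port {port} )")
    return "not ( " + " or ".join(terms) + " )"


def portscan_ignorehosts(nets) -> str:
    """The preprocessor line used near the head of snort.conf; hosts listed here
    are not reported by the portscan preprocessor."""
    return "preprocessor portscan-ignorehosts: " + " ".join(_addr(n) for n in nets)


if __name__ == "__main__":
    # Constructed sample: the host from the thread plus an assumed /24.
    trusted = parse_trusted(["205.164.217.39", "192.168.0.5/24"])
    print("\n".join(pass_rules(trusted)))
    print(bpf_filter(trusted))
    print(portscan_ignorehosts(trusted))
```

Only the BPF filter stops the portscan preprocessor from seeing the traffic at all; the pass rules and ignorehosts line each silence one consumer, so a complete exclusion usually needs more than one of them.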


